Client Isolation

Izac ICT
Level 1

Dear all,

Could you please advise me on client isolation examples for a Catalyst switch?

Can I achieve it with a VLAN access map, for example where the first 50 IPs are servers and the rest are client machines?

Maybe there are better ways?

Please advise me with some examples.

Thank you.

Isac

5 Replies

@Izac ICT 

It depends on what exact hardware you have, but yes, you could use a VLAN ACL (VACL), or alternatively you could use TrustSec. Typically TrustSec is deployed and managed via ISE, but you can configure it locally on the switch without using ISE.

Hello @Rob Ingram

Do you have any TrustSec examples to guide me, or any links?

Thank you.

Isac

Izac ICT
Level 1

I've read them but they are too general. What I need is this: in the 192.168.33.0/24 subnet, allow access to the server IPs 192.168.33.1-70 and block the rest (192.168.33.71-255) from talking to each other in VLAN33. Of course it would be great to allow access to the fileserver on only the SMB port etc.

 

Can it be achieved with TrustSec? Any example?

I'm sorry for asking for an example, but I have worked mostly on routing in Cisco and security on Juniper only.

@Izac ICT Other than the Cisco guides there isn't much information for a manual implementation of TrustSec (short of writing it myself); most examples are for management via ISE. Perhaps use a VACL, in which case here is an example:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/security/503_u2_2/b_Cisco_n3k_security_cg_503_u2_2_chapter_01001.html

https://ciscoskills.net/2017/11/20/vlan-access-lists-vacls/
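The following is an added example, not part of the thread or of the linked guides, showing how the requirement described above (clients 192.168.33.71-255 isolated from each other, all hosts allowed to reach servers 192.168.33.1-70, one file server reachable only on SMB) can be expressed as a VACL in Catalyst IOS/IOS-XE syntax. The ACL and access-map names are chosen for this example, and the file server address 192.168.33.50 is a made-up value; exact support and syntax depend on the platform, as the reply above notes.

```cisco
! Added example (not from the thread): VACL isolating client hosts inside
! VLAN 33 while keeping the server range reachable. Names and the file
! server address are example values.

! 1. Traffic with a server on either side. The range 1-70 is not one CIDR
!    block, so it is written as 0-63, 64-67, 68-69 and 70
!    (.0 is the network address and never a host).
ip access-list extended VLAN33-SERVER-TRAFFIC
 permit ip 192.168.33.0 0.0.0.63 any
 permit ip 192.168.33.64 0.0.0.3 any
 permit ip 192.168.33.68 0.0.0.1 any
 permit ip host 192.168.33.70 any
 permit ip any 192.168.33.0 0.0.0.63
 permit ip any 192.168.33.64 0.0.0.3
 permit ip any 192.168.33.68 0.0.0.1
 permit ip any host 192.168.33.70

! 2. Anything else that stays inside the subnet, i.e. client-to-client.
!    Off-subnet traffic has a destination outside this range and is not
!    matched here.
ip access-list extended VLAN33-INTRA-SUBNET
 permit ip 192.168.33.0 0.0.0.255 192.168.33.0 0.0.0.255

! 3. Optional: only SMB (TCP 445) to the file server (example address .50).
!    Inside a VACL, an ACL "deny" means "this sequence does not match",
!    so SMB falls through to sequence 10 and is forwarded; everything
!    else addressed to the file server is dropped at sequence 5.
ip access-list extended VLAN33-FILESERVER-NOT-SMB
 deny   tcp any host 192.168.33.50 eq 445
 permit ip  any host 192.168.33.50

! The map is evaluated top-down; the first matching sequence wins, and a
! packet that matches no sequence is dropped. Sequence 30 has no match
! clause, so it forwards everything not decided earlier, including non-IP
! frames such as ARP that the IP ACLs never match.
vlan access-map VLAN33-ISOLATION 5
 match ip address VLAN33-FILESERVER-NOT-SMB
 action drop
vlan access-map VLAN33-ISOLATION 10
 match ip address VLAN33-SERVER-TRAFFIC
 action forward
vlan access-map VLAN33-ISOLATION 20
 match ip address VLAN33-INTRA-SUBNET
 action drop
vlan access-map VLAN33-ISOLATION 30
 action forward

! Apply the map to VLAN 33 only.
vlan filter VLAN33-ISOLATION vlan-list 33

! Verification
show vlan access-map VLAN33-ISOLATION
show vlan filter
```

Two things to check before relying on this: the VLAN's default gateway should sit in the server range (for example .1), and a VACL only sees frames the Catalyst actually switches, so two clients hanging off the same unmanaged downstream switch can still talk to each other. Sequence 20 also drops subnet-directed broadcasts (192.168.33.255) sent by clients, while DHCP discovery (source 0.0.0.0, destination 255.255.255.255) is unaffected because neither address is inside the subnet.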